
Security Blackbelt Training

BrainShare EMEA 2010

Norbert Klasen
Senior Consultant nklasen@novell.com

Agenda

Business Data Mappings
Dynamic Lists and Correlation Rules
iTrac

Novell, Inc. All rights reserved.

Business Data Mappings

Data Translation

Add information that is not present in the event generated by the source
Look the information up in a table
Collector:
  CSV files
  legacy: TRANSLATE()
  JavaScript: lookup()
e.g. Severity, Taxonomy, descriptive names for numeric constants, DNS resolution


Mapping Service

Mappings are applied by the Event Router in the Collector Manager
das_query distributes (delta) maps to the Collector Managers
Map data is cached on the Collector Managers
CSV file in $ESEC_HOME/data/map_data


Point in Time

Data is always injected at the time an event is processed by Sentinel
No updates to the event if a relation changes afterwards


Map Definition

Map definition
  Column name
  Column data type
  Range support
  Key checkbox
  Separator
  External
  Referenced from map

Event Configuration
  Boolean
  Value from map


SCC Demo

Use Case 1: Identity Tracking

Who did it?
Correlate events from various systems that relate to the same person
Inject identity information into events
Person -> Identity -> Accounts -> Account names: (Init|Target)UserName, (Init|Target)UserDomain
Possibly multiple name forms per account


Novell IDM Integration


ID Vault (IDM)
-> Sentinel Driver (IDM)
-> JMS Message Bus (Sentinel)
-> ID Vault Collector (Sentinel)
-> Identity API (Sentinel)
-> Identity and Account DB Tables/Views (Sentinel)
-> Account Identity Mapping Table (Sentinel)
-> Mapping Service (Sentinel)


Other Integrations

Generic Identity Collector
Microsoft Active Directory (work in progress)
Build your own using the SDK


Account Identity Map

Keys: MSSPCustomerName, UserName, UserDomain
Applied to Initiator and Target
Values: Identity GUID, FullName, Department


Result

Active View
Identity Browser
Correlation Rules
Reports


SCC Demo

Use Case 2: Assets

What does this server do? Is it critical?
Inject asset information into events:
Hostname, MAC, Category, Description, Product, Criticality, Owner, Location


Asset Map

Keys: MSSPCustomerName, IP
Applied to Initiator, Target, Observer, and Reporter
Values: Class, Criticality, Department (Function), AssetID
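The Account Identity Map and the Asset Map above both work the same way: a CSV table with key columns, looked up from the event at processing time, with the value columns injected into the event. The following is an added example that models that mapping step; it is not Sentinel's own code, and the CSV contents, event field names and the prefixes used for the injected columns are constructed assumptions.

```javascript
// Added example, not Sentinel's own code: a minimal model of the Mapping
// Service described on these slides. A map is a CSV table with key columns
// and value columns; at event processing time the service looks the keys up
// from the event and injects the value columns into it. CSV contents, event
// field names and the value-column prefixes are constructed samples.

// Parse a CSV map; `keys` names the key columns, all other columns are values.
function loadMap(csvText, keys) {
  const [header, ...rows] = csvText.trim().split("\n").map((l) => l.split(","));
  const values = header.filter((c) => !keys.includes(c));
  const table = new Map();
  for (const r of rows) {
    const rec = Object.fromEntries(header.map((c, i) => [c, r[i]]));
    table.set(keys.map((k) => rec[k]).join("|"), rec);
  }
  return { keys, values, table };
}

// Apply a map to one side of an event: `keyFields` says which event field
// supplies each key column, `prefix` is prepended to the injected columns so
// Initiator and Target data do not collide. An unknown key leaves the event as is.
function applyMap(event, map, keyFields, prefix) {
  const rec = map.table.get(map.keys.map((k) => event[keyFields[k]]).join("|"));
  if (!rec) return event;
  const enriched = { ...event };
  for (const v of map.values) enriched[prefix + v] = rec[v];
  return enriched;
}

// Constructed Account Identity map (keys MSSPCustomerName, UserName, UserDomain)
// and Asset map (keys MSSPCustomerName, IP), with the value columns from the slides.
const IDENTITY_CSV = `MSSPCustomerName,UserName,UserDomain,IdentityGUID,FullName,Department
acme,jdoe,CORP,0001,Jane Doe,Finance
acme,svc-backup,CORP,0002,Backup Service,IT`;
const ASSET_CSV = `MSSPCustomerName,IP,Class,Criticality,Department,AssetID
acme,10.0.0.5,Server,5,Finance,A-100`;

// Enrich an event: the identity map is applied to Initiator and Target, the
// asset map to Initiator and Target (Observer and Reporter work the same way).
function enrich(event, identityMap, assetMap) {
  const cust = "MSSPCustomerName";
  let e = event;
  e = applyMap(e, identityMap, { [cust]: cust, UserName: "InitUserName", UserDomain: "InitUserDomain" }, "Init");
  e = applyMap(e, identityMap, { [cust]: cust, UserName: "TargetUserName", UserDomain: "TargetUserDomain" }, "Target");
  e = applyMap(e, assetMap, { [cust]: cust, IP: "InitIP" }, "InitAsset");
  e = applyMap(e, assetMap, { [cust]: cust, IP: "TargetIP" }, "TargetAsset");
  return e;
}
```

Because the lookup happens once, when the event passes through, a later change to the CSV does not alter events that were already enriched, which is the "point in time" behaviour noted earlier.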


Integrations

Generic Asset Collector (CSV)
Build your own using the SDK


SCC Demo

Use Case 2: Advisor

Is an attack directed at a vulnerable system?
Correlate attacks with vulnerabilities:
Load scan results into Sentinel
Subscribe to the Advisor feed
Connect an IDS


IsExploitWatchList Map

Keys: MSSPCustomerName, DeviceAttackName, DeviceName (e.g. Snort), TargetIP
Values: Vulnerability (flag 0 or 1)


Dynamic Lists and Correlation Rules

Dynamic Lists

Lists of elements
Distributed caching and lookup
Correlation engines
List attributes: Transient/persistent elements, Time to Live, Maximum size
Elements can be added and removed manually or automatically: Action (add/remove from list), Inlist operator (check in a rule)


Use Case: Affected By Exploit

Detects users who may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.
Prerequisite: Advisor
Put the exploited asset on a dynamic list
Create an alarm if a user logs into such an asset
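The IsExploitWatchList map, the dynamic list attributes (time to live, maximum size, inlist operator) and this use case fit together as one detection chain. The following is an added example that models that chain; it is not Sentinel's own code, and the watch list contents, event field names, rule names and sample events are constructed assumptions.

```javascript
// Added example, not Sentinel's own code: a minimal model of a dynamic list
// (time to live, maximum size, inlist operator) and of the Affected By Exploit
// use case: an attack whose IsExploitWatchList lookup says the target is
// vulnerable (flag 1) puts the target IP on the list; a later login to a listed
// asset raises an alarm. Watch list, event fields and sample events are constructed.
class DynamicList {
  constructor(ttlMs, maxSize) {
    this.ttlMs = ttlMs;     // transient elements expire after this long
    this.maxSize = maxSize; // the oldest element is evicted when the list is full
    this.items = new Map(); // element -> expiry time (ms)
  }
  add(element, now) {
    this.items.delete(element);
    if (this.items.size >= this.maxSize) this.items.delete(this.items.keys().next().value);
    this.items.set(element, now + this.ttlMs);
  }
  inList(element, now) {    // the "inlist" operator used by correlation rules
    const expiry = this.items.get(element);
    if (expiry !== undefined && expiry > now) return true;
    this.items.delete(element); // absent or expired
    return false;
  }
}

// Constructed IsExploitWatchList lookup: DeviceName|DeviceAttackName|TargetIP ->
// Vulnerability flag (the real map is also keyed by MSSPCustomerName).
const IS_EXPLOIT_WATCHLIST = new Map([
  ["Snort|WEB-ATTACK sample|10.0.0.5", "1"],
  ["Snort|WEB-ATTACK sample|10.0.0.6", "0"],
]);
// Correlation rules as functions returning an alarm object or null.
function exploitedAssetRule(event, list) {
  const key = [event.DeviceName, event.DeviceAttackName, event.TargetIP].join("|");
  if (IS_EXPLOIT_WATCHLIST.get(key) !== "1") return null;
  list.add(event.TargetIP, event.time); // rule action: put the exploited asset on the list
  return { rule: "Exploited Asset", asset: event.TargetIP };
}
function affectedByExploitRule(event, list) {
  if (event.Taxonomy !== "Login" || !list.inList(event.TargetIP, event.time)) return null;
  return { rule: "Affected By Exploit", user: event.InitUserName, asset: event.TargetIP };
}
// Run an event stream through both rules in order and collect the alarms raised.
function correlate(events, list) {
  const alarms = [];
  for (const e of events)
    for (const rule of [exploitedAssetRule, affectedByExploitRule]) {
      const alarm = rule(e, list);
      if (alarm) alarms.push(alarm);
    }
  return alarms;
}
```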


SCC Demo

iTrac

iTrac Definitions

Incident: Actionable condition
Action: Preconfigured step
Template: Definition of the steps to be taken in response to an incident; interactive and automated actions
Process: Specific instance of a template that is used to actively track an incident


iTrac Template Components

Steps: Manual Step (user interaction), Command Step (launch script), Mail Step, Decision Step (branch)
Transitions
Activities
Variables


Use Case Access to Exploited Asset

iTrac Template: Access to Exploited Asset
Correlation Rule: IdT-Affected By Exploits
The rule creates an Incident with the attached workflow
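To make the template/process distinction from the iTrac definitions concrete, here is an added example that models a small template with the four step types and runs one process instance for an incident. It is not Novell's iTrac code; the step names, the decision variable, the mail address, the script name and the incident are constructed assumptions.

```javascript
// Added example, not Novell's iTrac code: a Template defines steps (manual,
// command, mail, decision) joined by transitions; a Process is one instance of
// a template that tracks a specific incident and its variables. Step names,
// the decision variable, the recipient, the script and the incident are constructed.
const ACCESS_TO_EXPLOITED_ASSET = {
  start: "notify",
  steps: {
    notify: { type: "mail", to: "soc@example.com", next: "triage" },
    triage: { type: "manual", next: "decide" },                  // waits for an analyst
    decide: { type: "decision", variable: "criticality", branches: { high: "isolate", low: "close" } },
    isolate: { type: "command", script: "isolate-host.sh", next: "close" },
    close: { type: "manual", next: null },
  },
};

class Process {
  constructor(template, incident) {
    this.template = template;
    this.incident = incident;
    this.variables = { criticality: incident.criticality }; // workflow variables
    this.current = template.start;   // name of the step the process is waiting at
    this.history = [];               // completed steps, in order
  }
  // Complete the current step and follow its transition. Mail, command and
  // decision steps are automated; a manual step only completes when an operator says so.
  advance(operatorDone = false) {
    const step = this.template.steps[this.current];
    if (!step || (step.type === "manual" && !operatorDone)) return false;
    this.history.push(this.current);
    this.current = step.type === "decision"
      ? step.branches[this.variables[step.variable]] || null
      : step.next;
    return true;
  }
  // Run every automated step until the next manual step (or the end) and
  // return the step the process is now waiting at (null when finished).
  runAutomated() {
    while (this.current && this.template.steps[this.current].type !== "manual") this.advance();
    return this.current;
  }
  finished() { return this.current === null; }
}
```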


SCC Demo

Unpublished Work of Novell, Inc. All Rights Reserved.


This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
